OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] RE: STIX Sightings


As a community we need to figure out: are RFIs handled through TAXII query or are they handled via something like a STIX Request Package as Terry proposes.

I do tend to lean towards TAXII query, but if the community likes the STIX Request Pack approach better then we should depreciate the functionality from TAXII Query. I would like to avoid having two different ways to do the same thing.

Aharon




On 10/30/15, 4:55 AM, "Trey Darley" <trey@soltra.com> wrote:

>On 29.10.2015 21:45:21, Terry MacDonald wrote:
>> 
>> PROBLEM:
>> 
>> There is no real mechanism within STIX for a consumer of STIX data
>> to ask a question from the rest of the threat sharing community that
>> they are part of. This functionality is required if we are going to
>> get good multi-directional threat intelligence sharing happening.
>> 
>
>Wow, this is good stuff, Terry! I hadn't fully thought through the
>notion of a broadcast query. Good on ya, man!
>
>> 
>> This is different from the normal 'broadcast' style STIX message,
>> where the message is just sent to all parties and no replies are
>> expected. With STIX request/response there is a direct
>> question/answer relationship required.
>> 
>> Please note this request/response is also different to TAXII Query,
>> as the question is being asked to all members of the channel, rather
>> than just the single TAXII server you are locally connecting to
>> (which is IMHO more where TAXII Query fits in).
>> 
>
>I'm biased, since I've been working on the notional query spec for
>TAXII 2.0, but I think we can solve this via TAXII REST query instead
>of creating two new top-level STIX objects. I've written up my
>proposal for query scoping here [0].
>
>The tl;dr is to add an optional 'broadcast' parameter to TAXII query.
>If not specified, assume that a query is targeting just the local CTI
>repository. If the flag is specified, the CTI repository receiving the
>query acts as a proxy, forwarding the incoming query to all the hosts
>implied by the specified trustgroup(s), collecting the query results,
>and passing them back to the client.
>
>[0]: https://taxiiproject.github.io/taxii2/notional-query-api/#query-scoping
>
>-- 
>Cheers,
>Trey
>--
>Trey Darley
>Senior Security Engineer
>4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
>Soltra | An FS-ISAC & DTCC Company
>www.soltra.com
>--
>"There are only two hard things in Computer Science: cache
>invalidation and naming things." --Phil Karlton


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]